The text explains one of the tools from the “experimental” portion of the class, “MS06040Scanner”:
The second slide demonstrates the “X-Scan” tool which would be used to find vulnerabilities allowing data exfiltration.
Here’s how the indictment describes the “Manner and Means of the Conspiracy” —
“The defendants research and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information (“PII”) of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.
The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy. They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students’ PII from an education company; and weapon designs and testing data from defense contractors.
The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products. Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. … They also targeted insecure default configurations in common applications.”
The defendants used their initial access to place a “web shell” on the victim network, allowing remote execution of commands on a computer. The most frequently deployed was the “China Chopper” web shell. They most frequently did so by hiding the file with the name “p.jsp” in an obscure directory on a public-facing website. (They also sometimes named their webshell’s “tst.jsp”, “i.jsp”, or “/SQLTrace/i.jsp”.) The indictment includes a screenshot of China Chopper which is lifted from the FireEye blog post “Breaking down the China Chopper
” … if you are interested, you should also read the Talos Blog post: “China Chopper still active 9 years later
|(FireEye explains China Chopper)|
They would then plant software for stealing passwords, identifying computer users with Administrator access, and then studying the network for useful data. The data was compressed as a .RAR file, but then often renamed as a “.jpg” file and placed in the victim’s recycle bin until it could be retrieved.
The indictment makes clear that there were “hundreds” of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, they list types of companies, date ranges, amount of data stolen, and type of data gathered.
Victim 1: California-based technology and defense firm
Dec 2014-Jan 2015
200GB “Radio, laser, and antennae technology; circuit board and related algorithms designs for advanced antennae; testing mechanisms and results.”
Victim 2: Maryland-based technology and manufacturing firm – 64GB
Victim 3: Hanford Site, Department of Energy, Washington State – information about network and personnel, including lists of authorized users and administrator accounts
Victim 4: Texas: 27GB of space and satellite application data
Victim 5: Virginia Federal Defense contractor – 140GB of project files, drawings and documents related to Air Force and FBI investigations. PII on 300+ employees
There were many more victims detailed, including:
a US Educational Software company with “millions of students and teachers’ PII.” breached from Nov 2018 to Feb 2019,
a California pharmaceutical company – 105GB of data in Feb and March 2019
a Massachusetts medical device company – 83 GB of source code just as the victim was engaging in a contract with a Chinese firm to produce some of their components.
Other victims were listed in other places, including a large electronics firm in the Netherlands, a Swedish online gaming company (169GB of files including source code and player usernames and passwords), a Lithuanian gaming company, and other companies in Germany, Belgium, the Netherlands, an Australian defense contractor (320GB of data!), a South Korean shipbuilding company, an Australian solar energy company, a Spanish defense firm, and a UK AI firm focused on cancer research.
The Hackers’ MSS Connection
The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed “MSS Officer 1.”
“After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1.”
“Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government’s Ministry of STate Security (“MSS”). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, “GSSD”).
“When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.
In other instances, the Defendants provide the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents including:
- a Hong Kong community organizer
- the pastor of a Christian church in Xi’an
- a dissident and former Tiananmen Square protestor
- emails to and from the office of the Dalai Lama
- emails belonging to Chinese Christian “house” church pastor in Chengdu (who was later arrested)
- emails form a US professor and organizer
- two Canadian residents who advocate for freedom and democracy in Hong Kong
MSS Officer 1 assisted LI and other hackers. When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0day malware for a popular browser which exploited a bug not known to the software vendor or security researchers.
MSS Officer 1 claimed to be a researcher at the “Guangdong Province International Affairs Research Center” but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu Distring, Guangzhou.
Example Tools and Techniques
In several attacks, the attackers (in 2018) targeted ColdFusion vulnerabilities published in 2018 (CVE-2018-15961) attempting to gain access to CKEditor and the associated FileManager, using a ColdFusion web shell program named “cfm backdoor by ufo.” (This tool was actually used in a cool Canadian Government Training on APT groups
, although in their training it was an Iranian hacker group using the tool.)
In some cases, the hackers were clearly operating for personal profit. Sometimes sending emails with subjects like “Source Code To Be Leaked!” and demanding a ransom payment to prevent publication of their software.
On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm who had publicly announced their role in researching a potential COVID-19 vaccine.
On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19.
On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits.
On June 13, 2020, Li conducted reconnaisance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK Messaging app used by HK protestors, a Webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.